|
[VOTE] Open Policy Agent from incubating to graduated
Amye Scavarda Perrin
The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520) The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281 Please vote (+1/0/-1) by replying to this thread. Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support! Amye Scavarda Perrin | Program Manager | amye@... |
|||||
|
|
|||||
|
Re: "Steering committee" discussion
alexis richardson
Matt
toggle quoted message
Show quoted text
Thanks. A few quick comments (topline for speed). CNCF Incubation tests for production use and technical DD. It has a high bar. Graduation is oriented towards sustainability including some of the matters you touch on below. Graduation is more about sustainability and governance, than about production use. Those are all related in the end of course. I am a big fan of regular Q&A surveys with maintainers and users "and more". They are a good way to assess health, eg "do you think the project will make more progress in the next 12mo than in the last 12mo? why", and "are you aware of any bad actors". In terms of attracting contributors: complex topic, but the SC can help by being a lighthouse showing many ways to get involved, by showcasing what direction and features need building, and by having clear contributor paths. a On Wed, Sep 30, 2020 at 8:16 AM Matt Wilson <msw@...> wrote:
|
|||||
|
|
|||||
|
Re: "Steering committee" discussion
On Tue, Sep 29, 2020 at 11:05 AM, Liz Rice wrote:
The start of your original email was clear, but the addition of the word "plan" did make it a bit less so. Thank you for the clarification! I've taken the liberty to re-format the thread below to inline replies from earlier messages. I hope that the context doesn't change the meaning of any quoted text from others. On Tue, 29 Sep 2020 at 18:52, Alexis Richardson <alexis@...> wrote:I (speaking only for myself) would like to understand the functionOn Tue, Sep 29, 2020 at 10:48 AM, Bob Wise (AWS) wrote: better. As I understand it, CNCF graduation is a signal that the project has attained a certain level of "maturity". This is like a "Good Housekeeping Seal of Approval" that gives users/customers a signal that they can confidently adopt the software. Maintaining a high quality bar for graduation is important in building the ongoing strong brand of the CNCF, which I think plays a key role in supporting beneficial ecosystems that are part of building and sustaining open-source software. However, I currently view graduation milestones with the same kind of skepticism of some engineering "qualification" practices I've seen, where a product or service is very intensely tested before it is released using tools and procedures that are not integrated into a continuous automated testing system. "Qualification" around a major milestone event gives you a snapshot-in-time view of quality, but modern software changes more rapidly, so you need to be qualifying continuously. So too open-source projects need to change. Communities evolve. Practices change and adapt. Communities that are not able to change and evolve are more likely to become dysfunctional. Rather than obsessing about if a vendor's interest is holding back features, I think you should investigate how contentious decisions are made, and how disputes are resolved among stakeholders. The roadmap/features is only one thing that a development community, or other stakeholders, might disagree about. Liz clarified (above) that a proposed concern is to require functional community control over the roadmap. I would shorten it: require a functional community (in contrast to a dysfunctional community). I think you (the CNCF TOC by applying the graduation seal-of-approval) need to understand what community processes look like in practice, and if is a healthy dynamic that aligns well with what we've learned so far about building sustainable open-source software development communities and commercial ecosystems. That'd be a hard job that I do not envy. One tool that can help assess how well a community is functioning is a free-form response template. But more deeply than how is it functioning, a response template can help trigger, and demonstrate, more mindfulness in community architecture. One I like is included in Python PIP-8002, https://www.python.org/dev/peps/pep-8002/#annex-1-template-questions I think that a well functioning community is one that has a process that enables the evolution of its policies and practices over time. I like that this template asks these questions: 3. How do you like the process? * Which parts work well? * Which parts could work better? * When it doesn't work well, how does it look like? * What would you change if it were only up to you? [...] 5. Process evolution * How did this process evolve historically? * How can it be changed in the future? The SC model could generateFrom my perspective, I care very little about any of these things (though I may not understand what you actually mean). An open-source license is my ultimate contingency plan. What I'm looking for otherwise is a strong, welcoming, self-governing community, along with committed companies participating in a growing commercial ecosystem around the software. Yes, there are a number of reasons why a project may not attractProjects struggling to get maintainers when the owning entity isThis mostly does not happen. Although due to some bad actors, it can. contributors. There are a number of case studies where the overall sentiment and perception was that an open-source project was too closely held by a single commercial entity. Sometimes that has practical impacts in the sustainability of the ecosystem that builds, maintains, and supports the software. In my opinion (biased from my experience and perspective), a key case study in Linux Foundation history is the Xen project. We are fortunate that the late Lars Kurth documented this case study well, see http://slideshare.net/xen_com_mgr/lceu13-xen-project-lessons-learned. When we formed the Xen Project as a Linux Foundation collaborative project, there were a number of _symptoms_ that indicated that the community, the project, and the ecosystem around it were trending toward unhealthy. This was a sustainability concern for many stakeholders, including me. Forming the Xen Project was only _part_ of addressing the problem. People who were most familiar with the Xen community were aware of some the underlying causes of these symptoms, which were reflected in a larger "image" problem for the project. Over many years the project and its community gained a reputation of being difficult to work with, inwardly focused, and not collaborative with other significant parts of the open-source software ecosystem on which Xen was built--namely Linux and QEMU, both of which were extensively modified and maintained as separate "out of tree / not upstream" development branches for many years. Some would call the software "forked". At the time we formed the Xen Project at LF, it already had core maintainers for multiple organizations, despite having earned a reputation of being too closely held by Citrix. There are examples of healthy projects with a small number of people from one organization with "commit bit" access to the canonical repository, and also examples of unhealthy projects that have people from multiple organizations with "commit bit" access. So, I generally agree that the "multi-organization" criterion is not a good one on its own. It _might_ be a symptom that there's something else going on that deserves additional investigation. So, TL;DR? Building a sustainable community is complex. The things that may be the actual underlying risk factors in sustainability/longevity may not be obvious in a surface level inspection. A plan is no guarantee of future success. I think it takes applying mindful, intentional community-building practices and a willingness to adapt. --msw |
|||||
|
|
|||||
|
Re: "Steering committee" discussion
Josh Berkus
On 9/29/20 10:43 AM, Liz Rice wrote:
1. longevity of the project (in the event that a vendor is acquired orWe talked about requiring three things from projects reaching Graduated level: 1. A sustainability/longevity plan 2. A process for community feedback on the roadmap 3. Requiring "contributor ladder" process & documentation If these three things are things that the TOC plans to require, SIG-Contributor Strategy can work on writing guidance for them. The "longevity" portion will require quite a bit of work, though, because there's no real precedent for this that I know of. -- -- Josh Berkus Kubernetes Community Red Hat OSPO |
|||||
|
|
|||||
|
Re: FOSS Governance Library
Paris Pittman
we have been building this for our research and references for the guidance we are creating. the foss governance library is an amazing resource. On Tue, Sep 29, 2020 at 12:42 PM Chris Aniszczyk <caniszczyk@...> wrote:
|
|||||
|
|
|||||
|
Re: FOSS Governance Library
Nothing outside of the PDF, but it's been on the TODO list to convert it to markdown and put it somewhere. I'll look at getting this done though if people find it useful. On Tue, Sep 29, 2020 at 2:39 PM Josh Berkus <jberkus@...> wrote: On 9/29/20 9:45 AM, Chris Aniszczyk wrote: --
Chris Aniszczyk (@cra) | +1-512-961-6719 |
|||||
|
|
|||||
|
Re: FOSS Governance Library
Josh Berkus
On 9/29/20 9:45 AM, Chris Aniszczyk wrote:
This is great!Is there a referencable online version of that paper? -- -- Josh Berkus Kubernetes Community Red Hat OSPO |
|||||
|
|
|||||
|
Re: "Steering committee" discussion
Liz Rice
I think my wording could be better - the graduation requirement should be for functional community control of the project roadmap (not merely a plan for a community-controlled roadmap) On Tue, 29 Sep 2020 at 18:52, Alexis Richardson <alexis@...> wrote:
|
|||||
|
|
|||||
|
Re: "Steering committee" discussion
alexis richardson
"Projects struggling to get maintainers when the owning entity is unwilling to give up control to the community" This mostly does not happen. Although due to some bad actors, it can. Mostly projects are a handful of people on a mission, struggling to make it work, in the face of massive demands and uncertainty. "What would the mechanism used to be sure that a “plan” for a community controlled roadmap becomes a reality?" The SC model could generate * quarterly roadmap * contributor ladder * contingency plan a
|
|||||
|
|
|||||
|
Re: "Steering committee" discussion
Bob Wise (AWS)
What would the mechanism used to be sure that a “plan” for a community controlled roadmap becomes a reality? At present, holding graduation as the milestone for that is, imho, one of the most critical functions the CNCF has.
Projects struggling to get maintainers when the owning entity is unwilling to give up control to the community seems like a natural consequence.
-bw
From: <cncf-toc@...> on behalf of Liz Rice <liz@...>
Thanks everyone who came to the TOC call today - with extra thanks to Alexis for initiating the idea in the first place. I've tried to capture the key points:
Problem statement summary: projects that are controlled by a single vendor struggle to meet the current graduation requirement to have maintainers from multiple organizations (for valid reasons such as, they tend to hire the folks who are expert in that project). This multi-organization requirement is intended to address two concerns: 1. longevity of the project (in the event that a vendor is acquired or goes out of business) 2. ensuring that the project roadmap is community controlled, and not only run in the commercial interest of the vendor (we want to avoid feature hold-back) We recognize that the current multi-org requirement may not be the only (or even necessarily the best) way to address those concerns
Key points
If this broadly reflects the consensus we can start on wordsmithing the graduation requirement changes in GitHub.
Many thanks everyone for your comments and feedback around these ideas!
Liz
|
|||||
|
|
|||||
|
Re: "Steering committee" discussion
alexis richardson
I wish to note that it was @cra's idea. I just wrote about it and
toggle quoted message
Show quoted text
then talked about it a lot. On Tue, Sep 29, 2020 at 6:43 PM Liz Rice <liz@...> wrote:
|
|||||
|
|
|||||
|
"Steering committee" discussion
Liz Rice
Thanks everyone who came to the TOC call today - with extra thanks to Alexis for initiating the idea in the first place. I've tried to capture the key points: Problem statement summary: projects that are controlled by a single vendor struggle to meet the current graduation requirement to have maintainers from multiple organizations (for valid reasons such as, they tend to hire the folks who are expert in that project). This multi-organization requirement is intended to address two concerns: 1. longevity of the project (in the event that a vendor is acquired or goes out of business) 2. ensuring that the project roadmap is community controlled, and not only run in the commercial interest of the vendor (we want to avoid feature hold-back) We recognize that the current multi-org requirement may not be the only (or even necessarily the best) way to address those concerns Key points
If this broadly reflects the consensus we can start on wordsmithing the graduation requirement changes in GitHub. Many thanks everyone for your comments and feedback around these ideas! Liz |
|||||
|
|
|||||
|
Re: FOSS Governance Library
This is great! Here's another solid resource that we put together last year that covers the "openness of projects" along with some criteria to look at. On Tue, Sep 29, 2020 at 11:36 AM Matt Farina <matt@...> wrote:
--
Chris Aniszczyk (@cra) | +1-512-961-6719 |
|||||
|
|
|||||
|
FOSS Governance Library
Matt Farina
Since we have been talking governance, I just noticed a new catalog of FOSS Governance documents launched. It's at https://fossgovernance.org/. It has pointers to many governance docs on many open source projects. Cheers, Matt |
|||||
|
|
|||||
|
Re: OPA to graduation
Andrés Vega
Working in synchronicity from the authentication problem space adjacent to authorization, it has been fascinating to watch OPA evolve and grow in both adoption and maturity.
In every SPIFFE and SPIRE conversation, OPA always surfaces as the best architectural fit for a comprehensive identity and authorization solution. While there is a learning curve to Rego, people do manage to wrap their heads around it as it pays dividends in return. As Joe, I'd like to see overtime further standardization of the APIs. +1 NB Andres |
|||||
|
|
|||||
|
Agenda for TOC meeting for 9/29
Amye Scavarda Perrin
Hi all, We'll be meeting tomorrow at 8am Pacific, discussing graduation requirements around maintainer diversity. Presentation: https://docs.google.com/presentation/d/1Y0hfqLyxt1D0ThmPaQLRsejA8-8xlG5_yy2rGA1-fS4/edit#slide=id.g25ca91f87f_0_168 Thanks! -- amye -- Amye Scavarda Perrin | Program Manager | amye@... |
|||||
|
|
|||||
|
Re: OPA to graduation
alexis richardson
Something something "doomed to reinvent lisp"... +1, nb On Mon, 28 Sep 2020, 20:14 Joe Beda, <jbeda@...> wrote:
|
|||||
|
|
|||||
|
Re: OPA to graduation
Joe Beda <jbeda@...>
+1 NB
Agree with Gareth that there is no silver bullet here. Just like programming languages there are preferences and different needs and no one size fits all solution.
That being said, I think that OPA clearly hits a sweet spot and has a growing community. And the CNCF is welcoming to ~competing projects so graduating OPA doesn’t mean that other alternatives can’t also be supported and part of the CNCF umbrella.
One thing that I’d, personally, like to see is more standardization around the interfaces to these type of systems. Is it possible to replace OPA with another similar system and not have to retool the APIs to the policy engine? Would be interesting to standardize around some other interfaces to OPA too like the way that side-channel data is specified/presented and the way that decision information is surfaced back up to external monitoring/logging systems. (I’ve passed this on to the OPA folks so it should be a surprise to them.)
Joe
From:
cncf-toc@... <cncf-toc@...> +1 NB |
|||||
|
|
|||||
|
Re: [RESULT] Emily Fox approved as co-chair for SIG Security
Santiago Torres Arias <santiago@...>
Congratulations, Emily!
toggle quoted message
Show quoted text
On Mon, Sep 28, 2020 at 08:00:00AM -0700, Amye Scavarda Perrin wrote:
Emily Fox for SIG Security Chair: |
|||||
|
|
|||||
|
[RESULT] Emily Fox approved as co-chair for SIG Security
Amye Scavarda Perrin
Emily Fox for SIG Security Chair: https://lists.cncf.io/g/cncf-toc/message/5303 +1 Binding 7/10 Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/5312 Michelle Noorali: https://lists.cncf.io/g/cncf-toc/message/5315 Liz Rice: https://lists.cncf.io/g/cncf-toc/message/5318 Alena Prokharchyk: https://lists.cncf.io/g/cncf-toc/message/5319 Katie Gamanji: https://lists.cncf.io/g/cncf-toc/message/5325 Saad Ali: https://lists.cncf.io/g/cncf-toc/message/5326 Matt Klein: https://lists.cncf.io/g/cncf-toc/message/5327 +1 NB Justin Cappos https://lists.cncf.io/g/cncf-toc/message/5304 Brandon Lum: https://lists.cncf.io/g/cncf-toc/message/5305 Chase Pettet:https://lists.cncf.io/g/cncf-toc/message/5306 Paris Pittman: https://lists.cncf.io/g/cncf-toc/message/5307 John Hillegass: https://lists.cncf.io/g/cncf-toc/message/5308 Sarah Allen: https://lists.cncf.io/g/cncf-toc/message/5309 Gadi Naor: https://lists.cncf.io/g/cncf-toc/message/5310 Frederick Kautz: https://lists.cncf.io/g/cncf-toc/message/5311 Santiago Torres Arias: https://lists.cncf.io/g/cncf-toc/message/5313 Andrew Martin: https://lists.cncf.io/g/cncf-toc/message/5314 Ricardo Aravena: https://lists.cncf.io/g/cncf-toc/message/5316 Siddharth Bhadri: https://lists.cncf.io/g/cncf-toc/message/5320 Ashutosh Narkar: https://lists.cncf.io/g/cncf-toc/message/5321 Andrés Vega: https://lists.cncf.io/g/cncf-toc/message/5323 Amye Scavarda Perrin | Program Manager | amye@... |
|||||
|
|